Published: Jul 18, 2024
Key Takeaways:
- Microsoft introduced Inbound SMTP DANE with DNSSEC for Exchange Online, aiming to protect email communications against TLS-downgrade and man-in-the-middle attacks.
- This new capability is available at no additional cost for enterprise and consumer email offerings.
- The feature will be generally available worldwide in October, with IT admins needing to enable it manually via the Exchange Online management module.
Microsoft has announced the public preview of Inbound SMTP DANE with DNSSEC support for Exchange Online, marking a significant step in bolstering email security. This feature aims to protect against TLS downgrade and adversary-in-the-middle attacks to ensure secure, unaltered communication.
SMTP DANE (DNS-based Authentication of Named Entities) is a security protocol that uses DNS records to verify certificates used to protect email communication with Transport Layer Security (TLS). This protocol is designed to prevent spoofing and Man-in-the-Middle (MITM) attacks.
On the other hand, DNSSEC (Domain Name System Security Extensions) adds cryptographic signatures to DNS records to ensure responses come from legitimate authoritative servers. It prevents several types of attacks related to DNS data integrity and authenticity, including DNS spoofing and domain hijacking.
In March 2022, Microsoft added outbound support for SMTP DANE with DNSSEC to Exchange Online. However, this feature required commercial customers to have Microsoft 365 E5 licenses, which surprised many and led to widespread criticism.
In Exchange Online, Inbound SMTP DANE with DNSSEC will help customers protect their email domains from impersonation. Additionally, it ensures that encrypted messages reach their intended recipients without alterations or redirection. Organizations can also improve the reliability of email communications by adhering to the latest security practices.
According to Microsoft, the public preview of Inbound support for SMTP DANE with DNSSEC doesn’t require any high-end licenses. “We are including Inbound SMTP DANE with DNSSEC in our enterprise and consumer email offerings at no charge as part of our efforts to improve email security for everyone. We urge other email providers and domain owners to adopt these standards and collectively raise the bar for email security and protect users from malicious actors,” the Exchange team explained.
Keep in mind that this capability will be disabled by default, and IT admins will need to install the Exchange Online management module v3.5.1 to access the Enable-DnssecForVerifiedDomain cmdlet. However, some customers may need to wait a few days for the cmdlet to become available in their tenants.
Microsoft notes that administrators will be able to access Inbound SMTP DANE with DNSSEC and the MTA-STS report in the Exchange admin center next month. The security feature will be generally available to all customers worldwide in October.
Currently, Microsoft has rolled out inbound support for SMTP DANE with DNSSEC for select Outlook email domains. The company plans to extend this feature to all Outlook domains (such as Hotmail.com and Outlook.com) by the end of this year.
Microsoft is committed to providing advanced email protection for its commercial customers. In recent years, the company has implemented various measures to enhance the security of Exchange Online email services. For instance, in May 2023, Microsoft blocked old on-premises servers from sending messages to Exchange Online via an inbound connector.